Name saving issue - Githubissues

pmmp / PocketMine-MP

A server software for Minecraft: Bedrock Edition in PHP

https://pmmp.io

GNU Lesser General Public License v3.0

3.26k stars 1.54k forks source link

Name saving issue #4020

Closed minijaham closed 3 years ago

minijaham commented 3 years ago

Issue description

Steps will explain.

Steps to reproduce the issue

Generate two accounts with same spelling but different capital usage(i.e. minijaham and mInIjaham).
Log in with the first account and give op.
Log in with second account and you should have op in that account as well.

OS and versions

PocketMine-MP: First version - 3.17.3 https://github.com/pmmp/PocketMine-MP/commit/b296ae1b872aa0dbb6d118993aaab70913326b13
PHP: 7.3
Server OS:
Game version: PE/Win10

Plugins

If you remove all plugins, does the issue still occur? Yes
If the issue is not reproducible without plugins:
- Have you asked for help on our forums before creating an issue? I have, but I'm still waiting for an answer
- Can you provide sample, minimal reproducing code for the issue? If so, paste it in the bottom section No reproducing code

Crashdump, backtrace or other files

AkmalFairuz commented 3 years ago

This bug cause from gamertag duplicate when creating account Xbox Live, not from server software.

minijaham commented 3 years ago

This was tested with other usernames as well.

A lot of servers actually had the same issue.

AkmalFairuz commented 3 years ago

Even Fallentech, Hyperlands, etc staff account got hacked by this method.

minijaham commented 3 years ago

Exactly. Thanks to alvin though, he's told me a solution to this...

AkmalFairuz commented 3 years ago

Have you report this bug to Microsoft or Xbox?

minijaham commented 3 years ago

Have you report this bug to Microsoft or Xbox?

Not yet.

dktapps commented 3 years ago

well done, you've just advertised a security vulnerability to hundreds of people...

I'm already aware of this issue thanks to people who informed me in a more responsible manner by emailing team@pmmp.io or otherwise contacting us privately.

minijaham commented 3 years ago

How come the issue hasn't been solved yet, if you were already aware of it?

AkmalFairuz commented 3 years ago

Just wait Microsoft fix this bug. The solution is save real player gamertag without converted to lowercase.

Veixlix commented 3 years ago

How come the issue hasn't been solved yet, if you were already aware of it?

Because the issue lays with xbox usernames being allowed to have other unicode letters in their names.